The operating system my web server runs on is (include version): deamon 8

My hosting provider, if applicable, is: duocast

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): plesk

I’m running the Let’s Encrypt Plesk extension on 1 of our servers. I have 2 subscriptions with 230 domains each. Last week 350 domains got renewed by the cron, which runs daily, but the last 150 have the “pending authorization” error.

The strange thing is that I see this error block with this domain several times. So I think it tries to renew more than once? Can someone explain how I can fix this? I also read about “Clearing pending authorizations”; how can I do this? And is it smart to do this now?

I hope someone recognises my issues and knows the solution, because I really need my pending domains to renew within 27 days.

However, I would caution you against just registering a new account and marching on as if nothing had happened, as the issue will probably come up again if the Plesk extension continues to cause these pending authorizations to stack up. You’d need to report this behavior to the developer of the extension, and it would be helpful to send them a long history of logs as well.

There’s no problem with it running hourly, it should only actually “do things” when necessary. However, when it is malfunctioning (as it has been for you), this may cause the pending authorizations to stack up very quickly.

rutgergrasgroen:

Ok. Can I rename the registration file without any trouble for my existing cert which got successfully renewed?

I’m not sure, it might be dangerous. I don’t use Plesk. You may need to reach out to Plesk support to figure that part out - the Plesk developers don’t hang out on this forum.

It won’t break your existing certificates but it could interfere with future renewals.

That’s true, but they might be able to figure out whether the necessary authorization identifier data has been logged somewhere, or whether there’s a straightforward way to force Plesk to create a new ACME account.

I’m not sure how long pending authorizations are kept open before they expire, so I’m not sure whether you’ll be waiting 7 days or 30 for them to expire naturally

I recently went through a similar problem …

Last week it was: 7 days for a pending authorization to expire; 30 days for a successful validation to expire.

Now please don’t yell at me, LetsEncrypt staff, but this is a suggestion for debugging/fixing this situation (though not the Plesk bug)

There was a boulder/LetsEncrypt update a while back where the pending authorizations are cached/re-used during the expiry. Stated differently… every time “Account A” asks to validate “domain1.example.com”, it should return the same authorization challenge (I’m not sure if it will be the same once a validation is triggered or not).

With a ratelimit of 300 pending authorizations, ~300 updated domains, and ~150 that haven’t updated… I would be led to believe there are (somehow) pending authorizations left on the domains which successfully authorized.

I think it should be possible to iterate over the ‘correct’ domains and request a new authorization for them. If the request doesn’t fail from the ratelimit, that should be an existing pending authorization – and you could then use that authorization info to issue a cancel request.

I won’t yell at you. I think this is actually a very reasonable and good suggestion. The goal of implementing pending authz reuse was to make “pending authz rate limit” a thing of the past. Certainly the number of people having this problem has decreased a lot.

One category where people still tend to run into this problem is when issuing for more than 300 domains more-or-less simultaneously, since you can wind up having 300 authorizations pending before you start validating some of them.

One small suggestion for this particular case: Try spreading out your renewals a little bit so you have more like 100 per day. That way you’re less likely to run into the pending authz limit when doing big batch renewals. In our integration guide we recommend randomizing renewals a little bit so if you onboard a bunch of domains over time, eventually your renewals spread out so they’re not all on the same day.
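The spreading suggested in the reply above, sketched as an added example (not code from the Plesk extension, Let's Encrypt, or any poster in this thread): each domain gets a stable pseudo-random renewal day from a hash of its name, and a per-day cap keeps a batch well under the 300 pending-authorization limit mentioned earlier. The function names, the 7-day window, the start date and the sample domain list are all assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict
from datetime import date, timedelta

DAILY_CAP = 100  # "more like 100 per day", well below the 300 pending-authz limit

def renewal_offset(domain: str, window_days: int) -> int:
    """Stable pseudo-random day offset in [0, window_days) derived from the name."""
    digest = hashlib.sha256(domain.lower().encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % window_days

def plan_renewals(domains, start: date, window_days: int, daily_cap: int = DAILY_CAP):
    """Return {date: [domains]} with at most daily_cap renewals on any day.

    A domain goes to its hashed day; if that day is full it spills to the
    next day with room, wrapping around the window.
    """
    unique = sorted(set(domains))
    if len(unique) > window_days * daily_cap:
        raise ValueError("window too short for this many domains at this cap")
    plan = defaultdict(list)
    for domain in unique:
        day = renewal_offset(domain, window_days)
        while len(plan[day]) >= daily_cap:
            day = (day + 1) % window_days
        plan[day].append(domain)
    return {start + timedelta(days=d): names for d, names in sorted(plan.items())}

# Constructed sample: 2 subscriptions x 230 domains, as in the original question.
SAMPLE_DOMAINS = [f"site{i:03d}.example" for i in range(460)]

if __name__ == "__main__":
    schedule = plan_renewals(SAMPLE_DOMAINS, date(2024, 1, 1), window_days=7)
    for day, names in schedule.items():
        print(day.isoformat(), len(names), "domains")
```

Because the offset depends only on the domain name, re-running the planner gives the same schedule, so a daily cron can call it and renew only the entries listed for today.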

_az:

I’m not sure how long pending authorizations are kept open before they expire, so I’m not sure whether you’ll be waiting 7 days or 30 for them to expire naturally …

Thank you. The first pending error was from last Sunday. So I guess I’ll have to wait till tomorrow and see what happens. If they are not renewed by Monday, I’ll have to try and make new registrations, right?